
Bank of NY Loses Tapes With 4.5 Million Clients' Data

Soulskill posted more than 6 years ago | from the way-to-go dept.

Security 156

Lucas123 brings news that Bank of New York Mellon Corp. has admitted they lost a box of unencrypted data storage tapes. The tapes contained personal information for over 4.5 million people. From Computerworld: "The bank informed the Connecticut State Attorney General's Office that the tapes ... were lost in transport by off-site storage firm Archive America on Feb. 27. The missing backup tapes include names, birth dates, Social Security numbers, and other information from customers of BNY Mellon and the People's United Bank in Bridgeport, Conn., according to a statement by Connecticut Attorney General Richard Blumenthal.


More importantly .. (4, Funny)

Spacejock (727523) | more than 6 years ago | (#23608233)

did they lose the station wagon the tapes were being transported in?

Re:More importantly .. (2, Funny)

Gazzonyx (982402) | more than 6 years ago | (#23608297)

No, they lost the intern this time. If we're lucky it'll be the consultant next time! ;)

Re:More importantly .. (2, Funny)

commodoresloat (172735) | more than 6 years ago | (#23608339)

Luckily, the tapes were all 8-track tapes so the authorities have said not to worry, nobody will be able to do anything with them.

Re:More importantly .. (1)

mrbluze (1034940) | more than 6 years ago | (#23608359)

Luckily, the tapes were all 8-track tapes so the authorities have said not to worry, nobody will be able to do anything with them.
But the white noise sounds fantastic in 8 channel surround sound!

Re:More importantly .. (0)

Anonymous Coward | more than 6 years ago | (#23608641)

With the current state of our courts, do you suppose they will be charged with "negligent terrorism"?*

*(I wish that my joke couldn't fit in reality)

Re:More importantly .. (0)

Anonymous Coward | more than 6 years ago | (#23608729)

I really cannot understand how you can lose tapes while driving them from A to B. Maybe they left them on the counter at McDonald's while taking a coffee break?

I can only suspect that they were "lost" in a financially positive way for some lucky guy.

Re:More importantly .. (3, Informative)

jagilbertvt (447707) | more than 6 years ago | (#23608867)

Apparently the courier's van had a broken lock on the door. Also, from what I've heard, the tapes were encrypted when they were sent to Mellon, who then created unencrypted backups which were transported to another location.

http://www.peoples.com/online/help/0,,14408,00.html?cm_mmc=Peoples-_-incident-_-hp-_-whatsnew [peoples.com]

New Unit (4, Funny)

Wellington Grey (942717) | more than 6 years ago | (#23608237)

While it may look bad, it's still only 1/5th of a metric Britain [zdnet.co.uk].

-Grey [silverclipboard.com]

Re:New Unit (1)

dotancohen (1015143) | more than 6 years ago | (#23608929)

While it may look bad, it's still only 1/5th of a metric Britain [zdnet.co.uk].
How many cows is that? [sensibleunits.com]

Re:New Unit (1)

YukiCuss (960733) | more than 6 years ago | (#23609063)

According to Wikipedia [wikipedia.org], the average USian is 80 kg.

Hence: 14 RMS Titanics!

Re:New Unit (0)

Anonymous Coward | more than 6 years ago | (#23609239)

That's like 5 Hiroshimas!

Unencrypted? (5, Interesting)

cephah (1244770) | more than 6 years ago | (#23608261)

I thought you had an obligation to encrypt data containing sensitive personal information such as SSNs when transporting them? In Denmark you are required by law to store such data safely, I wonder if it's any different in the US.

Re:Unencrypted? (0)

Anonymous Coward | more than 6 years ago | (#23608325)

If Denmark is anything like Germany, then you are required by law to be really cautious with collecting and storing personal information, but if you don't meet the requirements, then there are no punitive measures (except for an angry letter from the data protection officer whose only power it is to remind people of the requirements.)

Re:Unencrypted? (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23608441)

Denmark is not like Germany. Denmark is the Canada of Europe.

Re:Unencrypted? (0)

Anonymous Coward | more than 6 years ago | (#23608565)

Denmark is not like Germany. Denmark is the Canada of Europe.
WRONG.

Sweden is the Canada of Europe.

Denmark is more like the Rhode Island of Europe.

Re:Unencrypted? (0)

Anonymous Coward | more than 6 years ago | (#23608343)

Especially after having the advantage of witnessing SEVERAL similar tape thefts over the last year or so. At this point regulation should be put in place to require the encryption (rather than it just being a nifty f*cking idea).

I'd recommend some penalties for failing to do this, but we know at worst they'll be fined a sum far less than what they could get by selling the stolen data themselves.

Re:Unencrypted? (4, Informative)

BiggerIsBetter (682164) | more than 6 years ago | (#23608369)

Just make the punishment fit the crime: Release the personal information of the company directors into the wild.

Re:Unencrypted? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23608397)

They already did.
Don't you think they use their own bank?

CAPTCHA "Contempt" is somehow appropriate.

Re:Unencrypted? (4, Insightful)

mrbluze (1034940) | more than 6 years ago | (#23608419)

Don't you think they use their own bank?
What and get exposed for tax evasion when they get audited?

Re:Unencrypted? (0)

Anonymous Coward | more than 6 years ago | (#23609467)

yah clown. and let's execute you for being a retard

Re:Unencrypted? (0)

Anonymous Coward | more than 6 years ago | (#23608393)

Yeah seriously, if that data is NOT heavily encrypted these banks need to be severely penalized or shut down completely.

Re:Unencrypted? (5, Informative)

kungfoolery (1022787) | more than 6 years ago | (#23608437)

I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that require encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.

Re:Unencrypted? (5, Informative)

jimicus (737525) | more than 6 years ago | (#23608507)

I'm actually currently dealing with my company's legal department in regards to shipping data tapes from the EU to the US. Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection). I believe there actually are laws in the US that require encryption of this kind of data; but by no means are the requirements from the EU the same as anywhere else.
Encryption isn't the point.

The EU laws are more concerned with how you use the data than how you encrypt it. I can't speak for the rest of the EU, but the UK has the Data Protection Act which briefly states:

1. Data may only be used for the purposes for which it was collected. You can't ask me to fill in a questionnaire for market research purposes and then use my answers to crank up my life insurance premiums.
2. Data must not be disclosed to others without the subject's consent unless there is a legal obligation to do so. You can't sell my details to someone for marketing purposes unless I've said you can - but if the police come knocking demanding my data, that's OK.
3. Individuals have a right to access personal data, and may not be charged more than a nominal fee for this, subject to some exceptions. So I can write to you and ask what personal data regarding me that you store, but I can't write to the police and ask if they're carrying out an undercover investigation of me. (Well, I can, but they're not obliged to confirm or deny it).
4. Personal information may not be kept for longer than necessary.
5. Personal information may not be transmitted outside the EEA unless the individual has consented or "adequate" protection is in place. (Your company would probably be fine if they signed a contract saying "Regarding all data you send us, we shall store and process it within the law laid down by the EU", but IANAL).

The data protection act is one of the most misunderstood laws in the UK - it's been used as an excuse to avoid doing anything by all sorts of entities in cases where it's plainly irrelevant. Which is odd because it's one of the few laws which come packaged with a set of plain-English guidelines explaining what it's trying to achieve.

Re:Unencrypted? (-1, Troll)

dotancohen (1015143) | more than 6 years ago | (#23608947)

Which is odd because it's one of the few laws which come packaged with a set of plain-English guidelines explaining what it's trying to achieve.
That's because the brits don't speak plain-English.

Re:Unencrypted? (1)

hal9000(jr) (316943) | more than 6 years ago | (#23608851)

You would think there would be laws requiring encrypted storage of PII, but even HIPAA, probably the more proscriptive gov't regulation (though woefully inadequate), doesn't require it. The language is much more general, requiring protections, of which encryption could be one factor.

Here's the deal, US corporations will do the absolute least to spend money on protecting data. The fines are low enough to simply not matter and there is no indication that their business suffers much of a hit.

The only way to address this and get companies to start protecting data is to make the punishment more expensive than the fix. If a company could be fined 35% of their gross revenues per loss, not per record, and companies were fined, others would take notice. The fines that will be levied against Bank of NY will barely bump their bottom line.

Re:Unencrypted? (2, Funny)

Anonymous Coward | more than 6 years ago | (#23609153)

Turns out, the EU considers the laws in the US as insufficient when it comes to guarding and protecting individual privacy (apparently, we're on a list of untrusted foreign entities when it comes to privacy protection)...
For one thing, the EU doesn't consider ROT-26 to be twice as effective as ROT-13.

Re:Unencrypted? (1)

erfoley (52334) | more than 6 years ago | (#23609401)

What I find to be the most annoying part of the story is that People's Bank transmitted the data to Mellon Bank encrypted. Mellon then decrypts the data, puts it on a tape and loses the tape! I work as an integration architect for a pretty large insurance company. Every piece of private information that is transmitted externally or between hosts internally is encrypted. We also use mutual authentication to reduce the chances of sending the encrypted data to the wrong place. Every laptop or desktop hard drive is encrypted. If I lose my laptop the thief will not be able to read the data on my hard drive unless he knows my password. We have this heightened level of protection for all information and Mellon puts an encrypted tape in a van and loses it?

Screw the Bank of NY (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#23608271)

I first got the HIV being humped by a sweet muffin in one of their bathrooms. Then they escorted me off the premises with a security guard (not the same one!). I know firsthand that the Bank of NY doesn't give a shit about privacy. This is odd concerning all of the glory holes that they have. And yes, I'm sure about this.

key finder (1)

Peter_The_Linux_Nerd (1292510) | more than 6 years ago | (#23608279)

They should have put one of those key finder things on the box.

God Bless America (2, Funny)

Grimbleton (1034446) | more than 6 years ago | (#23608289)

Can we please go more than a few days without this happening yet again? Thanks.

You guys worry too much. (1)

Shturmovik (632314) | more than 6 years ago | (#23608511)

It'll all be just fine.

So when is the bank declaring bankruptcy (2, Interesting)

Anonymous Coward | more than 6 years ago | (#23608293)

Well, once 4.5 million people have sued them for breaching their privacy through negligence there really isn't much point staying open is there. Or we could have some fun and teach them a lesson the old fashioned way, run on the bank anyone?

Re:So when is the bank declaring bankruptcy (4, Insightful)

Hankapobe (1290722) | more than 6 years ago | (#23608413)

Well, once 4.5 million people have sued them for breaching their privacy through negligence there really isn't much point staying open is there. Or we could have some fun and teach them a lesson the old fashioned way, run on the bank anyone?

It wouldn't work. The Fed and possibly Congress themselves would bail the bank's ass out to "protect our financial stability" or some other nonsense.

When you're a big corporate entity in America, you don't have to worry about such trivial things that would put the little guy without the Government connections out of business.

Re:So when is the bank declaring bankruptcy (3, Interesting)

Vectronic (1221470) | more than 6 years ago | (#23608483)

http://en.wikipedia.org/wiki/Bank_run [wikipedia.org]

or skip to:
http://en.wikipedia.org/wiki/Bank_run#History [wikipedia.org]

If 4.5 million people is only a fraction of the data the bank had (assuming all data they have is equal to the amount of people they cater to) then if say 20,000,000 people withdrew their money, they'd be fucked, even if they only withdrew $200.

Especially considering the decline of the USD; granted, it probably wouldn't lead to a major event like the 'Great Depression' (although it's possible) but it would kill that branch, break some bird eggs, make an omelet, etc.

If the "Government" bailed them out (which would technically be the bank giving the government money to bail the bank out) the USD would plummet even further to probably mere tens of pennies.

Re:So when is the bank declaring bankruptcy (3, Interesting)

Hankapobe (1290722) | more than 6 years ago | (#23608495)

I'm aware of bank runs and what they did in the past in the US. Those days are gone. It would have no effect - even on that particular branch. The Bank of New York is a monster mega bank. It has over 100 Billion dollars in assets. This isn't some local yokel bank that Jimmy Stewart runs. And even then, with FDIC insurance, and the current rules for cash reserves, it won't happen. Regulations have been placed here in the US to prevent such a thing happening.

Re:So when is the bank declaring bankruptcy (1)

Grimbleton (1034446) | more than 6 years ago | (#23608541)

Yeah, Jimmy Stewart's bank is here in Indiana, PA, if anywhere.

Re:So when is the bank declaring bankruptcy (5, Insightful)

Angostura (703910) | more than 6 years ago | (#23608583)

It has over 100 Billion dollars in assets.

That's nice for it. The question is how liquid are those assets and how much cash can it actually get its hands on at short notice. As banks in Britain have noticed, assets just ain't worth what they were.

Re:So when is the bank declaring bankruptcy (4, Insightful)

SpinyNorman (33776) | more than 6 years ago | (#23608871)

US bank assets aren't any better. Bear Stearns had 3.5 x the assets of Bank of NY (350B vs 100B), and that did not stop them from all but disappearing literally overnight before the Fed stepped in to bail out the Bear stockholders with taxpayers' money.

It's not just a matter of asset liquidity, but also of quality and mark-to-market value. Right now the issue is of toxic mortgage securities that may be on the books at face value but in reality are worth who knows what. Thanks to the repeal of the Glass-Steagall act, there's nothing stopping commercial banks like Bank of NY from making the same stupid decisions as investment banks like Bear Stearns, and who wants to bet that the commercial banks know the markets any better than the investment banks (I'd have assumed the opposite).

Re:So when is the bank declaring bankruptcy (1)

Anonymous Coward | more than 6 years ago | (#23609763)

Bear Stearns is an investment bank. This is different from 'regular' commercial banks like Bank of NY that are heavily regulated and insured by the feds. It's important to distinguish between these types of banks; they are very different animals with different types of investments, leverage, and risk. That will help you to understand the subprime crisis and its more recent spillover. The consensus now is that investment banks will be regulated more since Bear Stearns went under, though.

Re:So when is the bank declaring bankruptcy (1)

Vectronic (1221470) | more than 6 years ago | (#23608589)

That may be, but what are the assets? And where does the money come from? Especially if those people who withdrew their money either keep it, or convert it.

Inflation is the only resolution, well, I suppose if worse came to hell, The Department Of The Treasury, could simply say "alright, that money is no longer legal tender anyways" and switch to something else.

As a side note:
"The company [BNY] has annual revenues of about $13 billion, and pro-forma market capitalization of about $50 billion. ...
It also services more than $11 trillion in outstanding debt."

63 Billion? So if those 20 Million withdrew $3150 each (or on average) they wouldn't make anything that year.

Think about how other banks and countries would react to that, "oh shit, get out now" amplifying the "Bank Run"

Re:So when is the bank declaring bankruptcy (1)

rohan972 (880586) | more than 6 years ago | (#23608663)

So if those 20 Million withdrew $3150 each (or on average) they wouldn't make anything that year.
The problem with this plan is that most of their customers are net borrowers. Taking their business elsewhere would mean paying that money to the bank, not withdrawing it. Sorry.

Re:So when is the bank declaring bankruptcy (0)

Anonymous Coward | more than 6 years ago | (#23608695)

The Department Of The Treasury, could simply say "alright, that money is no longer legal tender anyways" and switch to something else.
Bananas?!

Re:So when is the bank declaring bankruptcy (0)

Anonymous Coward | more than 6 years ago | (#23608721)

It has over 100 Billion dollars in assets.
100 billion in assets... like thousands of now worthless homes perhaps?

Re:So when is the bank declaring bankruptcy (1)

SpinyNorman (33776) | more than 6 years ago | (#23608769)

Regulations were put in place... and have since been undone. The Glass-Steagall act was repealed in 1999.

Here's an idea (0)

Anonymous Coward | more than 6 years ago | (#23608791)

Don't use the bank. Pick a different one. Or stow your fortunez under your mattress. A bank can't make money if you don't lend yours to them.

Re:Here's an idea (1)

Vectronic (1221470) | more than 6 years ago | (#23608881)

Which is what intelligent people do. At least a significant portion of their money, and the really smart put it into things like jewelry, which no matter where, what, or who, you can always get something in return for it.

If shit hits the fan, what are you going to do with your little piece of plastic? Well, I suppose you could maybe chop your food, wait... what food?

Re:So when is the bank declaring bankruptcy (2, Insightful)

Chapter80 (926879) | more than 6 years ago | (#23609237)

It has over 100 Billion dollars in assets.
Keep in mind that depository accounts at a bank are considered the bank's _liabilities_. A bank's outbound loans are their assets.

So if you go in and attempt to withdraw your money on deposit, and they pay you with an asset (other than cash on hand), they'd have to somehow give you a note - an IOU, where someone owes the bank money. That doesn't work too well.

If you don't think bank runs exist today, you need to just look back 2 months ago, to the Bear Stearns failure. [wsj.com]

Re:So when is the bank declaring bankruptcy (0)

Anonymous Coward | more than 6 years ago | (#23609495)

Can you imagine if Jimmy Stewart had to explain something like this?

"Well, truth is, Mr. Potter...I uh...well that is to say...those unencrypted tapes I was carrying in my car fell out the window when I was driving to town. You see, the dirt road is pretty bumpy, and Cousin Tilly had just spilled his drink when I was leaning over to help...and uh...darn it all if I didn't turn around and not see those tapes!"

Re:So when is the bank declaring bankruptcy (3, Informative)

Orange Crush (934731) | more than 6 years ago | (#23608841)

Disclosure: I work for BNY Mellon, and no, I have nothing to do with any of this. But we're not a traditional retail bank. It's mostly asset management (running mutual funds, portfolios, etc.). Not the kind of thing you can really make a "run" on.

Re:So when is the bank declaring bankruptcy (2, Interesting)

Chapter80 (926879) | more than 6 years ago | (#23609185)

the USD would plummet even further to probably mere tens of pennies.
Isn't that true now? The USD is worth ten tens of pennies.

:-) Just thought that wording was interesting!

Re:So when is the bank declaring bankruptcy (2, Informative)

tompaulco (629533) | more than 6 years ago | (#23609087)

The article says that Archive America lost the tapes, so how is this the bank's fault? And why does the heading say Bank of NY loses this data, when in fact it was Archive America which lost all this data? My guess is because Bank of NY has money, but Archive America doesn't.

Re:So when is the bank declaring bankruptcy (0)

Anonymous Coward | more than 6 years ago | (#23610143)

The article says that Archive America lost the tapes, so how is this the banks fault?
You plan for when things go wrong, not for when they go right.

The tapes were leaving the bank's control, so they should have planned for the possibility of attackers going after the data.

Even a few years ago encrypting your tapes was an onerous task, but now tape drives (e.g., LTO-4) have built-in AES encryption, so it's simply a matter of configuring your backup software to use the functionality. A few tens of thousands of dollars for new equipment is a lot cheaper than the legal fees of a possible lawsuit.

You don't even need to use encryption for all the tapes, only the ones in the "Offsite" pool.
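The encrypt-before-it-leaves-the-building approach the comment above describes, shown in software rather than in LTO-4 drive firmware, as an added example that is not part of this thread or of any vendor's product: a backup image is sealed with AES-256-GCM, the cartridge label and pool are bound as associated data, and only ciphertext goes into the courier's box, so a lost tape is unreadable and a re-labelled or corrupted one is refused on restore. The TapeImage and SealedTape types, the label "OFFSITE-000123" and the sample record are constructed for illustration; the key is assumed to live in an on-site key management system and never ship with the tape.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TapeImage is a backup set as the backup software would hand it to the
// drive (constructed type). Pool decides whether the cartridge leaves the site.
type TapeImage struct {
	Label string // barcode label on the cartridge
	Pool  string // "Onsite" or "Offsite"
	Data  []byte // backup payload, e.g. a customer records dump
}

// SealedTape is what actually goes to the courier: Blob = nonce || ciphertext
// || GCM tag. Label and Pool travel in the clear but are bound as associated
// data, so the image cannot be silently re-labelled or moved between pools.
type SealedTape struct {
	Label string
	Pool  string
	Blob  []byte
}

// associatedData binds cartridge metadata to the ciphertext; the NUL
// separator keeps ("AB","C") and ("A","BC") from encoding identically.
func associatedData(label, pool string) []byte {
	return []byte(label + "\x00" + pool)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("tape key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a tape image under a fresh random nonce. Only the ciphertext
// is written to the cartridge; the key stays with the on-site KMS.
func Seal(key []byte, t TapeImage) (SealedTape, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SealedTape{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return SealedTape{}, err
	}
	ct := gcm.Seal(nil, nonce, t.Data, associatedData(t.Label, t.Pool))
	return SealedTape{Label: t.Label, Pool: t.Pool, Blob: append(nonce, ct...)}, nil
}

// Open decrypts and authenticates a sealed tape. A wrong key, a flipped bit
// on the media, or an altered label/pool yields an error, never plaintext.
func Open(key []byte, s SealedTape) (TapeImage, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return TapeImage{}, err
	}
	ns := gcm.NonceSize()
	if len(s.Blob) < ns+gcm.Overhead() {
		return TapeImage{}, errors.New("sealed blob too short to hold nonce and tag")
	}
	pt, err := gcm.Open(nil, s.Blob[:ns], s.Blob[ns:], associatedData(s.Label, s.Pool))
	if err != nil {
		return TapeImage{}, fmt.Errorf("tape %s failed authentication: %w", s.Label, err)
	}
	return TapeImage{Label: s.Label, Pool: s.Pool, Data: pt}, nil
}

func main() {
	key := make([]byte, 32) // in practice fetched from the on-site KMS, never shipped
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record; no real customer data.
	img := TapeImage{Label: "OFFSITE-000123", Pool: "Offsite",
		Data: []byte("name,dob,ssn\nJane Example,1970-01-01,000-00-0000\n")}
	sealed, err := Seal(key, img)
	if err != nil {
		panic(err)
	}
	// Re-labelling the cartridge as an on-site tape makes restore refuse it.
	moved := sealed
	moved.Pool = "Onsite"
	_, err = Open(key, moved)
	fmt.Printf("sealed %d bytes on %s; re-labelled copy rejected: %v\n",
		len(sealed.Blob), sealed.Label, err)
}
```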

Stupid (2)

MortenMW (968289) | more than 6 years ago | (#23608321)

Sending sensitive information from a bank to another company without encrypting it is just reckless and stupid.

Re:Stupid (5, Insightful)

mrbluze (1034940) | more than 6 years ago | (#23608405)

Sending sensitive information from a bank to another company without encrypting it is just reckless and stupid.

This is (just) showing up the way business is done everywhere - on the cheap.

On the surface, all companies go to the trouble to look good - glossy ads, well appointed offices, important landmark locations, etc. But often, just like in a restaurant, out the back it's all dim lighting, rusty hinges, paint peeling off walls etc.

Now I'm not saying all companies, but companies of a certain culture. The rest of this comment was going to be total flamebait so I'll leave it there.

Re:Stupid (5, Insightful)

Gazzonyx (982402) | more than 6 years ago | (#23608491)

I've got karma to burn, I'll say it for you. This is the problem with MBAs who only watch the bottom line and "know the price of everything and the value of nothing". (stolen from someone on /. from a couple days ago. It's a great quote) The culture you're talking about is the culture of marketing and management making technical decisions they wouldn't dare have the guts to even try to explain to the average slashdotter. I guarantee somewhere there's an admin trying his best not to scream "I told you so". If there isn't, there should be one out of a job for sheer ineptitude. You don't store or transmit data in plain text, ever, period. Especially when it's actual customer information. For craps sake, I'm a developer and I know that much about administration. No, this was probably a decision made by someone who manages what they don't understand and can't be bothered to learn. Flame on.

Re:Stupid (3, Informative)

Prune (557140) | more than 6 years ago | (#23608779)

Great job citing proper sources *rolleyes*. The quote is from Oscar Wilde and is "The cynic is a man who knows the price of everything and the value of nothing." A fucking Google search would have told you that with the first result!

Re:Stupid (1)

zevans (101778) | more than 6 years ago | (#23609255)

According to Google just about EVERYTHING was first said by Wilde or Twain...

Meh (2, Funny)

Gazzonyx (982402) | more than 6 years ago | (#23609863)

Why bother citing when someone will come along and tell you whom it is you're quoting, anyways ;)

Re:Stupid (2, Insightful)

Tycho (11893) | more than 6 years ago | (#23609269)

Hypothetically speaking, events like these shouldn't be unexpected. If the security policies were initially decided on by executives, managers, outside consultants, and sales reps from Microsoft and HP, what do you expect? If the executives just signed off on what they saw and didn't do any research beforehand personally on best security practices using outside resources. If the IT managers were inept, clueless, and had no background in IT and at their last posting were in Customer Service, and if these managers are only interested in getting promoted and transferred to another department. If the consultants were airheads and, despite claims to the contrary and even with an expensive presentation, had offered no useful information. If the sales reps from Microsoft and HP were just interested in selling an excessive number of expensive Intel-based servers with several $100K subscription-based licences for Windows 2008 Server. If these things were to happen, it would seem to me that this would indicate that there were serious problems with the managerial staff of such a company.

On the other hand, this situation may have been the result of a failure of imagination. If for instance, mailing these tapes became standard policy even though these tapes were never intended to have left the original facility and thus the records on the tape were never encrypted, this would have been a serious breach of the original security policy. The customer data should have been encrypted in every case, regardless of the storage medium used.

Strangely enough, I think that some of the problems that are faced in industrial worker safety are similar to those in computer security and that one might find a few useful concepts in a safety review of a BP refinery fire here:

http://www.bp.com/liveassets/bp_internet/globalbp/globalbp_uk_english/SP/STAGING/local_assets/assets/pdfs/Baker_panel_report.pdf [bp.com]

I think that the concepts of process safety, which involves the safety in the design of the system are important. Also the concept of open communication between employees and management with no retaliation for mentioning a legitimate potential safety issue is also important.

Re:Stupid (1)

jacobsm (661831) | more than 6 years ago | (#23609749)

I agree with you 100 percent. If management can spend 99 cents to implement a vastly inferior solution rather than one dollar to implement the perfect solution, guess which one wins every time. The corporation that I work for experienced a similar accident several years ago. We now use a hardware based solution to encrypt all tape data that leaves the data center. It's not too hard or expensive to do; all it takes is the will to do it. I guarantee that the required "management will" will be enhanced once they are threatened with jail time, or the loss of their multi-million dollar pay checks, for any future data loss of this type.

Re:Stupid (1)

davie (191) | more than 6 years ago | (#23609903)

No, this was probably a decision made by someone who manages what they don't understand and can't be bothered to learn.

I think you just described most of the people in management in American corporations. I hope the number is better elsewhere, but I doubt it. Until we stop chug-a-lugging the "stupid people can manage anything without knowing anything about it" Kool-Aid we're going to keep suffering the same failures. How long can America survive when the smart people stay on the sidelines building wealth and leave the idiots to run everything?

Trying to find a cube I would want to call home. (1)

SomewhatRandom (1299167) | more than 6 years ago | (#23609121)

In my experience many companies that should care about security don't. I have consistently made companies handling personal information (banks, insurance agencies...) aware of glaring inadequacies in their IT/physical security implementations, and provided recommendations on how to remedy the issues. The usual response to this is to be told that they aren't going fix them, so stop bringing it up. As I learn more in the areas of network engineering, programming, and database administration I see more and more vulnerabilities.

I see programmers taking shortcuts either due to ignorance, ineptitude, or unrealistic project deadlines being pushed on them. Most programmers don't have a very good understanding of security or network engineering/administration which often exacerbates the issue.

I see a pool of generally incompetent networking engineering/administration staff available every time I begin to interview to fill a position. I see network engineering/administration 'professionals' who eagerly drop responsibility like a hot potato by handing off projects to other business units (EX: development). Once the project is handed off they are often unwilling to work on educating employees in the other business units on items like security. To be a truly valuable network engineer you need to learn multiple technical disciplines and to work with them.

I see management make decisions without appropriately defining project scope, goals, and requirements. I have seen well-planned and thought out projects to enhance security denied simply on the basis that they provide no new shiny feature for management to fawn over or advertise. Management often views security as a cost and as much as they may love to throw around various business terms like Value-Added, Responsibility, Efficiency..., they don't really understand what they mean.

There usually isn't one department to blame. What I have seen is that there are not many 'jack of all trades, specialist of most' and unless your business is strongly compartmentalized with an excellent management team defining policies, procedures, project scope, requirements, goals etc... your business will suffer these issues. The problem being, very few companies can afford this type of configuration (HP, Dell, Defense contractors, etc..). Additionally, if you are a 'jack of all trades, specialist of most', you most likely have avoided working for these companies out of fear of being locked into one functional area, stunting your growth in others.

Based on the above, my question is where does a 'jack of all trades, specialist of most' go to be satisfied in their career?

1.) A large enterprise, where it is likely you will be focused on one functional area and bored.
2.) A small-mid size business where you are likely to see what you would consider atrociously handled sensitive data.
3.) A small-mid size business that doesn't handle sensitive data, but as a result doesn't pay very well and is often not very challenging from an IT perspective.
4.) Become an independent consultant at immense personal financial risk only to learn that you still have to work with the above companies?
5.) Other

To the other (IT focused) 'jack of all trades, specialist of most' out there, are you happy with your career? If so, what do you do - I am looking for some better options.

P.S.
On a side-note I learned something about myself from posting this - I am a lot more bitter than I thought.

Re:Trying to find a cube I would want to call home (1)

Gazzonyx (982402) | more than 6 years ago | (#23610165)

Great post, man! As to your question; I'm in college and doing an internship at a small (~20 employees) local company as their 'tech guy', although my major is software development. It's great because while I only make $11/hour, I've gained knowledge and experience in almost every imaginable field.

Our warehouse manager has a degree (or was just a few credits shy of it) in graphical design, and has just decided to go back and work on software development after we've talked about the lack of people who have the ability to both code and do graphical design. He's also started to get into Linux as we've talked about it... he runs a Mac at home, so it's easy to use bootcamp/fusion. We constantly give each other ideas. Every now and then, we go off on a tangent and just 'do something'.

That's the value of the small business in my experience. You really do have an ability to influence and encourage your coworkers in a positive way. Also, getting a 'critical mass' to change the way things are done is much easier. I've started to get to the point where if I truly believe I have a good idea (say... encrypting the backups), and feedback from my coworkers is positive, but management disagrees or doesn't listen long enough to understand (I'm still mastering the elevator pitch) what I'm driving at, I'll just do it. The small business arena is the only place where you can get away with this. Just do it, document it and own up if it blows up in your face. If you're, in the least, technically competent, you probably have more job security than you think and if you get fired, you'll land on your feet. Mediocre techs/admins/coders are a dime a dozen, but experienced and talented employees (not to mention jack of all trades, specialist at most) are hard to find and aren't unemployed very long.

Re:Stupid (1)

IsThisNickTaken (555227) | more than 6 years ago | (#23608685)

Once they decide to encrypt the information, what are the chances of the passphrase being written on a Post-it on the tape?

Digital leakage is getting to be more like (3, Interesting)

3seas (184403) | more than 6 years ago | (#23608373)

digital diarrhea...

So what exactly is homeland security about? It's obviously not about protecting US citizens.

As a government body, shouldn't homeland security be involved in helping to prevent such digital leakage, even if just setting down the rules to follow and pursuing violators of the rules?

Re:Digital leakage is getting to be more like (2, Interesting)

Yvanhoe (564877) | more than 6 years ago | (#23608539)

There is a very good possibility that these data were stolen, not "lost". What is the black-market value of 4.5 million IDs?

Re:Digital leakage is getting to be more like (4, Insightful)

Vectronic (1221470) | more than 6 years ago | (#23608619)

Agreed

FTFA:
"he [Blumenthal] said that he is pressing the bank to explain how some backup tapes disappeared while others on the same van arrived intact at the Archive America facility."

It's not a situation where it all got sent to the wrong place, or trashed accidentally, it was (what I would consider) obvious and intentional theft.

However, that doesn't mean that it was intended to be sold as a "bundle" on the Black Market, it could just have easily been some disgruntled worker with no real "plan" other than to fuck with the company, or even just get one individual's information from the 4.5 million (although I would likewise assume the former, Black market)

Re:Digital leakage is getting to be more like (4, Insightful)

NotBornYesterday (1093817) | more than 6 years ago | (#23609029)

Dunno. I haven't shopped any fake IDs or credit cards. By sheer swinging, wild-ass guess, I'd propose the following:

Let's say that one out of 100 accounts gets pilfered lightly - say $100 is mysteriously transferred. That's $4.5 million. Let's say that another 1 out of 100 has their info used to produce fake IDs, and those IDs are sold to illegal immigrants/terrorists/underage college kids/whomever for $500 each. That's $22.5 million.

So, close to $27 million if you only abuse 2% of the victims.

What absolutely blows my mind is that if a bank transfers $4.5 million, they use multiple armed guards driving an armored truck. When they transfer 4.5 million customers' worth of data (worth presumably more than $1 each), they use ... who exactly? Archive America? Does anyone know what kind of security measures these jokers take?

$4.5 million of the bank's money goes missing in an armored car heist, it makes national news immediately, and stays on for weeks. 4.5 million people have their information stolen, and the bank says, "Meh, 'sno big deal. We'll tell them in a few months."

Re:Digital leakage is getting to be more like (1)

NotBornYesterday (1093817) | more than 6 years ago | (#23608897)

<tinfoil hat>
<paranoia>
<humor>

Dear Mr 3seas:

Thank you for your interesting suggestion. While it is true that we here at the DHS have done a marvelous job leveraging fear to create a humongous, overprotective nanny institution, we have not yet been entrusted with protecting the private banking details of everyday Americans. Unless you can provide some information that links this event to terrorism, (eg, the compromised accounts are filled with terrorist funds, terrorists stole the tapes, the driver of the delivery truck had dark skin and/or foreign accent and/or turban) I'm afraid there's not much we can do in this case. If you do have information that relates this event to terrorism, and would like to report it to us, simply send a plaintext email to ... well, I guess it doesn't matter who you send it to, just send it in the clear so we can read it. We'll take it from there.

In the meantime, if you would feel more secure with DHS protecting your financial well-being, please write your Congressman in support of our bill to include the SEC in our growing family of subordinate government institutions. Remember, we're here to serve you, the loyal American, in any way we can.

Regards,
DHS

</humor>
</paranoia>
</tinfoil hat>

Re:Digital leakage is getting to be more like (0)

Anonymous Coward | more than 6 years ago | (#23609593)

What you suggest is NOT the purpose of The Department of Homeland Security.

There is already a government regulating body with intent to prevent such gross errors by financial institutions, the FFIEC [ffiec.gov], in addition to other state and federal audits.

Always... (1, Interesting)

owlnation (858981) | more than 6 years ago | (#23608391)

It's important to remember things such as this when the usual brainwashed-by-Fox conservatives say stuff like: "if you've nothing to hide, then why are you worried about privacy".

Re:Always... (1)

jimicus (737525) | more than 6 years ago | (#23608531)

It's important to remember things such as this when the usual brainwashed-by-Fox conservatives say stuff like: "if you've nothing to hide, then why are you worried about privacy".
Things such as this are always a lousy counter-argument to that.

I can think of plenty of other things to say. Like "What are your bank details?"

"How do you feel about your mother in law?" (ask when their spouse is within earshot)

"How much do you spend on golf clubs?" (again, ask when their spouse is within earshot)

Though to be fair, IME most people of the "nothing to hide" mentality are already so far down that road that they're way beyond reason.

really? again? (3, Interesting)

knight0wl (1183645) | more than 6 years ago | (#23608433)

Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and their ilk would have learned their lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 million lawsuits and less work than the PR mess that they now have to clean up.

Re:really? again? (3, Interesting)

Flamora (877499) | more than 6 years ago | (#23608497)

Yes, but you see, the encryption means that the bank itself has to do the work. In the case of lawsuits and PR issues, they have PR people and lawyers to deal with that, so the bank doesn't do much more work than lifting a finger and saying "go, mortal, and do thy job" or something.

Re:really? again? (2, Insightful)

jimicus (737525) | more than 6 years ago | (#23608533)

Events like this seem to have become a near-monthly event. I would've thought banks and credit card companies and their ilk would have learned their lesson the first time something like this made news and started at least encrypting this stuff. Or at least the second time it happened. Or the third, maybe if we're cutting them a lot of slack. Yes, it's expensive and yes it's hard work, but it'd be less expensive than a potential 4.5 million lawsuits and less work than the PR mess that they now have to clean up.
Maybe they haven't learned because none of these incidents have yet resulted in the "4.5 million lawsuits" you're talking about.

Re:really? again? (2, Interesting)

knight0wl (1183645) | more than 6 years ago | (#23608657)

Yep, you're right. I honestly don't know why they haven't (or at least a class-action suit or something similar). I'd love it if one of those "IAAL" types could fill me (and others) in on that.
My point was simply that it would seem prudent to plan for worst-case scenarios. I would think that profit-seeking entities would someday learn how profitable risk management can be, in the long run.

Yes, I'm also aware "the long run" doesn't seem to be in our current corporate culture's lexicon. Hmm... it's possible I just answered one of my own questions.

Re:really? again? (2, Funny)

Chapter80 (926879) | more than 6 years ago | (#23609273)

Actually, the data was encrypted using a complex algorithm called ASC2 or ASC II or something like that. I'm sure the data is safe. No one will be able to decode it. It's gibberish, written in just zeros and ones. If your Social Security Number contains even ONE digit in the range of 2-9, you should be fine.

Sorry for not revealing too many technical details. I'd hate to give a criminal too much to go on.

They can't determine what was on the missing tapes (0)

Anonymous Coward | more than 6 years ago | (#23608439)

They can't determine what was on the missing tapes

"The forensic investigation initially identified approximately 270,000 individuals and 409 institutions with data on the tapes. The Company worked closely with its institutional clients to notify these individuals, which was completed by early April."

"The continuing forensic investigation also identified approximately four million additional individuals and 293 additional institutions with data on the tapes. This data took longer to identify and extract because of the manner in which it was stored on the tapes, and BNY Mellon Shareowner Services immediately began the process, in coordination with its institutional clients, of notifying these individuals and offering them comprehensive fraud protection services."

http://www.bnymellon.com/tapequery/shareownerservices.html

Those backups weren't worth a damn? (2, Insightful)

rtfa0987 (1260014) | more than 6 years ago | (#23609221)

"They can't determine what was on the missing tapes"

---

If that is truly the case, then those tapes wouldn't have been worth a damn for restoration if there had been a disaster.

The Responsible Thing (4, Funny)

not_surt (1293182) | more than 6 years ago | (#23608455)

The bank should do the responsible thing and offer every affected customer a new identity.

Re:The Responsible Thing (1)

notseamus (1295248) | more than 6 years ago | (#23608977)

Banks are going to have to start to treat customer records with as much gravity as they would physical cash. Otherwise this will happen again and again, and people will start losing money as a result.

Amazing how rarely this happened until recently .. (1)

Anonymous Coward | more than 6 years ago | (#23608465)

Or more likely, it happened all the time, and the organisations in question were given carte blanche to cover it up. Now that there's been plenty of these in the news, everybody is frantically owning up to their sins before legislation is passed that adequately punishes their neglect.

Re:Amazing how rarely this happened until recently (3, Insightful)

Vectronic (1221470) | more than 6 years ago | (#23608521)

It's always happened to some degree, the major difference is similar to the history of money itself.

It wasn't till recently that millions of people's records were held on digital/analog media. Most things were still carried out via paper and pen which made the loss of millions of people's data require dumptrucks.

It wasn't till around 2001 or so that things really became "online". And these things are only going to happen more and more frequently now, because as much scare as there may be when this stuff hits the news, it doesn't override people's inherent laziness "oh a few clicks? fuckin A"...

Most people with a lot to lose (millions/billions of dollars), still do not do transactions via digital media, certainly not in an outgoing direction. Until they are hit, this probably won't change no matter how frequently it happens.

creators ignore red tape to keep 5 billion clients (-1, Troll)

Anonymous Coward | more than 6 years ago | (#23608599)

alive. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is WINDing DOWn now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.

http://news.google.com/?ncl=1216734813&hl=en&topic=n
http://www.nytimes.com/2007/12/31/opinion/31mon1.html?em&ex=1199336400&en=c4b5414371631707&ei=5087%0A
http://www.nytimes.com/2008/05/29/world/29amnesty.html?hp

is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://www.google.com/search?hl=en&q=weather+manipulation&btnG=Search
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece

Somewhere in Archive America's... archive (1)

192939495969798999 (58312) | more than 6 years ago | (#23608617)

(Enter guy carrying way-too-full box of tapes)
la la la...
trip...CRASH!!!!

uh-oh, spageddios!

(Back at the bank of NY)
wah wah wah waaaaaah.

I am one of the people affected (5, Interesting)

barzok (26681) | more than 6 years ago | (#23608637)

I got a letter on Thursday informing me of the breach. It gave this URL: http://www.bnymellon.com/tapequery/ [bnymellon.com]

This page has changed since Thursday. Originally it was only one incident, now it's two. The letter said that I'd get 1 year of credit monitoring at all 3 bureaus, free; when I signed up, I was given (and the page above) two years. The letter said there was no indication that the information had been used, but it also didn't mention what the summary here says - that SSNs and birthdates were on those tapes (I assumed they were).

What really pisses me off isn't that it happened - it's that it took them three fucking months to inform me.

I have 2 accounts with them (for the same employer, which is really stupid). One account requires my SSN, the stock ticker, and a 6-digit PIN. Digits only. Not terribly secure - there are only 10^6 possible PINs, my SSN may be in someone's hands, and there are only a couple thousand stock tickers. The other is a seemingly random ID and a 6-31 digit PIN. My previous PIN was 12 characters. The new one is 31.

I reset both my PINs Thursday night, which took about half an hour - the sites, while not normally speed demons, were obscenely slow that night. I'm hoping it's because people were changing their PINs.

Re:I am one of the people affected (4, Insightful)

barzok (26681) | more than 6 years ago | (#23608687)

Sorry to be replying to myself, but when I wrote my previous post I wasn't able to get to TFA. Now I can.

TFA has a lot of information which wasn't given to customers in the letter. The tapes were unencrypted? I can believe that. I kind of assumed it, which is a sad state of affairs. There were names, DOBs and SSNs on the tapes? That I can believe, and assumed, but like I posted above, it wasn't made known via the notice that was sent out.

But how the hell can this guy say "that none of the unencrypted data has been accessed or used?" That's impossible for them to know. The tapes are out of their physical control - the people in possession of them now could have skimmed all those records off already, and just haven't used them yet.

The article doesn't mention the $25K of "insurance" that we get by signing up with the free credit monitoring. Except I'm an NY resident, and by NY state law they can't offer such insurance to me. WTF?

So here I sit, having managed to go 30 years with a lone incident of a "guessed" CC number as my only brush with identity theft, and now I'm left to be looking over my shoulder for the next several years thanks to this.

Re:I am one of the people affected (0)

Anonymous Coward | more than 6 years ago | (#23609381)


Me too.

What pisses me off is not only that these slobs lost the tapes, but also that now that I've signed up for the credit reporting, they require a SSN for login (https), then they say that it will require 7-10 days for the credit reporting profiteers to actually get me a credit report - but they'll be happy to sell me one today. So I am compelled to wonder, does BNY own a chunk of the credit reporting agencies?

I think a class action suit sounds like a wonderfully good idea. Since this happened to me because I own stock in these guys (not a lot) can I sue them twice - once for losing my info and once because as a shareholder with an interest in keeping the company profitable?

When will business listen and stop using SSN? (2, Informative)

gatkinso (15975) | more than 6 years ago | (#23608661)

IIRC, the Social Security Administration itself lambasts this practice on the grounds of 1) the SSN was never meant to be a de facto ID number, 2) they explicitly promised it would not be used as such, and 3) it is completely insecure.

Oh well, too late now.

Re:When will business listen and stop using SSN? (2, Informative)

S.O.B. (136083) | more than 6 years ago | (#23609517)

In Canada it is illegal to use a SIN (Social Insurance Number) to identify a person for the purposes of a financial transaction. Employers can't even use it as a way to track employees.

Not that there aren't plenty of other ways of stealing people's identities but at least the government is impeding one of the easiest.

Re:When will business listen and stop using SSN? (0)

Anonymous Coward | more than 6 years ago | (#23609717)

Though banks must collect SIN numbers for the purpose of reporting your earned income (interest, dividend, etc.)

That's fine - just pay reasonable compensation (2, Interesting)

AaronLawrence (600990) | more than 6 years ago | (#23608763)

Damages for possible identity theft and access to your bank account? Hm ... let's pick a figure out of the air of (say) the value of any actual losses plus compensation of (say) $5000 ... triple that as punitive ... so all they have to do is pay up 15 billion dollars and they can continue! No problem.

Punishment (0)

Anonymous Coward | more than 6 years ago | (#23608937)

I hope the executives and all those staff involved in the storage of that data are held accountable. I would fire the lot and ensure they never work with sensitive data again in their careers.

Transport ONLY Encrypted Media (1)

Doc Ruby (173196) | more than 6 years ago | (#23608965)

Banks never transport the life savings of 4.5 million people without an armored car. There's probably even a lot of laws that prohibit such blatantly reckless behavior, to say nothing of their insurance coverage depending on following those rules. And if they do "lose" that life savings in transit, without an armored car, the bank has to replace it at the bank's cost, even if that drives the bank out of business.

Of course these people's life data is no different: the bank is responsible for protecting it. So the bank should be required to transport only encrypted media (in an armored car). If the bank "loses" the data, the bank should have to pay and organize the resecuring of all that data, including notifying all the many databases that maintain it, changing ID numbers, getting new ID cards, etc, at absolutely no cost in time or money to the people. And the bank should pay a service that monitors those people for ID theft for at least a dozen years, if not the rest of their lives, and assume liability (for losses and extra bureaucratic work) for any fraud using the data the bank "lost".

There oughtta be a law. As long as the cost of these "accidental losses" is minimal to the banks and other corps handling the data, they will of course spend as little as possible on securing it.

In fact there should be a Federal database of people whose personal data has been exposed. Every database that maintains any significant amount of personal data should be required to check that database every day or so to be sure they aren't using data exposed elsewhere. If they are, they should have to notify the FBI, the org that exposed the data, and the person whose data was exposed, then initiate the replacement process at the cost and effort of the org that exposed it.

Of course such a DB of exposed (and therefore exploitable, and at a rich org's expense) data would be extremely valuable, and the world's primary target of attacks by fraudsters and other bad guys. And the government (especially the one we have today) would be tempted to datamine that data for many other big brother purposes, all supposedly to "protect us" (from "the terrorists", etc). The government would love to use such a service as a pretext for other tyrannies, like a required "national ID card". But securing such a DB, even by the government, is absolutely possible. There are many databases already in use that are never compromised, in both government and private control. If the incentive and procedures are strong enough, this is an operation we can pull off. Probably if supported by a Constitutional Privacy Amendment that puts teeth back into the 4th Amendment, the government would protect our data at least as effectively as it protects, say, our nuclear arsenal. There might be some abuses, but they'd be much fewer, and the damage would be recovered by the irresponsible party instead of ruining the people's lives.

It's Inevitable ... (1)

LaughingCoder (914424) | more than 6 years ago | (#23609097)

People will always make mistakes. They'll be careless and "forget" to encrypt. Or they'll put a post-it with the decryption key on the media. Or they'll disclose decryption information via some other easily intercepted channel (social engineering). Plus, consider the ever advancing capabilities of brute-force decryption technologies. Add to that malicious actions where people actively try to defeat security measures. 3 million IDs released today. 2.5 million next month. 12 million 6 months from now. You can only conclude that eventually (10 years? 20 years? sooner?) every US citizen's name, SSN, address, email address, birthdate, mother's maiden name, first pet's name, favorite sports, high school yearbook pictures, etc. will be widely available to anyone who wants it. So what do we do then? Clearly we will need a much tighter (biometric?) method of identification.

Re:It's Inevitable ... (1)

ratboy666 (104074) | more than 6 years ago | (#23610133)

No, it isn't

"in-line" encryption appliances. Tape specific devices, etc.

I'll let you in on HOW they work -- each tape is labeled and barcoded. The barcode/label is scanned, automatically by the tape device. This causes a key to be generated and stored on a key server ("security appliance"). The key is associated with the label. The key is used by hardware to encrypt the data (using AES-256 or better).

The security appliance is FIPS-140 B certified (tamper evident). Also, the key can be centrally destroyed, rendering the tape useless instantly (WHEREVER it is).

Systems like this would be the wet dream of CEOs everywhere, since, as a side-effect, they offer instant plausible deniability (anything can be converted to gibberish).
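The per-label key scheme the comment describes, as an added example that is not code from the post or from any appliance vendor: each tape label gets its own random key held only in a key server, the tape carries the label and ciphertext, and destroying the label's key makes the tape unreadable wherever it is. An HMAC-SHA256 counter-mode keystream stands in for the appliance's AES-256 hardware, and the key server is an in-memory dict; both are assumptions for illustration.

```python
import hashlib
import hmac
import os


class KeyServer:
    """Toy stand-in for the 'security appliance': keys are indexed by tape label
    and never leave this object except to the encrypting device."""

    def __init__(self):
        self._keys = {}

    def key_for_label(self, label):
        # First scan of a barcode/label generates a fresh 256-bit key.
        if label not in self._keys:
            self._keys[label] = os.urandom(32)
        return self._keys[label]

    def lookup(self, label):
        return self._keys.get(label)

    def destroy(self, label):
        # Crypto-shredding: with the key gone, every copy of the tape is gibberish.
        return self._keys.pop(label, None) is not None


def _keystream(key, label, nonce, length):
    # HMAC-SHA256 in counter mode, bound to the label and a per-write nonce.
    # This is a stand-in for the appliance's AES-256; it is NOT AES.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = label.encode() + nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def write_tape(server, label, data):
    """Encrypt 'data' under the key for 'label'; returns what the tape would hold."""
    key = server.key_for_label(label)
    nonce = os.urandom(16)
    stream = _keystream(key, label, nonce, len(data))
    body = bytes(a ^ b for a, b in zip(data, stream))
    # Authentication tag so a modified tape is rejected rather than decrypted.
    tag = hmac.new(key, label.encode() + nonce + body, hashlib.sha256).digest()
    return {"label": label, "nonce": nonce, "body": body, "tag": tag}


def read_tape(server, tape):
    """Decrypt a tape; returns None if the key is gone or the tape was altered."""
    key = server.lookup(tape["label"])
    if key is None:
        return None  # key destroyed or never issued: tape is useless
    expected = hmac.new(key, tape["label"].encode() + tape["nonce"] + tape["body"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tape["tag"]):
        return None  # tampered in transit
    stream = _keystream(key, tape["label"], tape["nonce"], len(tape["body"]))
    return bytes(a ^ b for a, b in zip(tape["body"], stream))


def demo():
    """Walk through the lifecycle: write, read, lose the box, destroy the key."""
    server = KeyServer()
    # Constructed sample record; not real customer data.
    record = b"constructed record: Jane Doe, DOB 1970-01-01, SSN 000-00-0000"
    tape = write_tape(server, "TAPE-0001", record)
    readable_before = read_tape(server, tape) == record
    server.destroy("TAPE-0001")  # the box went missing: revoke centrally
    readable_after = read_tape(server, tape)
    return {"readable_before": readable_before, "readable_after": readable_after}


if __name__ == "__main__":
    print(demo())
```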

WHY unencrypted? W (1)

dpbsmith (263124) | more than 6 years ago | (#23609281)

We get story after story, month after month, about organizations like the Bank of New York or Los Alamos National Laboratories or the British Ministry of Defence losing tapes and disk drives and always, always, always the data is said to be unencrypted.

WHY don't all those centralized-configuration-managing IT departments check the FileVault or the BitLocker checkbox on every laptop that comes in the door?

That fancy automated remote configuration-management software keeps everyone's internal purchase-requisition application in sync... when they're doing the remote update why don't they install TrueCrypt at the same time?

Why don't their purchase orders to Dell for 10,000 new PC's say that as long as they're custom-preinstalling all that other crap anyway they might as well include a commercial encryption package?

Put indignation aside. What, exactly, are the real human organizational and managerial reasons why encryption just doesn't happen?

Are they more worried about employees keeping information from superiors than they are about losing sensitive information to outsiders? Or what?

Losing data tapes is no big deal (1)

davidwr (791652) | more than 6 years ago | (#23609887)

Letting unencrypted or insufficiently-encrypted data out of their building is.

Sufficiently-encrypted means it can't be broken in a time-frame to be useful to an adversary. If the data is a politician's accepting of a bribe or paying an escort service, that means the life of the politician in question or more.

False outrage does nothing (1)

hieronymus (763770) | more than 6 years ago | (#23610115)

Despite the near monthly occurrences of these incidents, the fact is that they have very little material impact to the companies who perpetrate them. If consumers, rather than venting on message boards, would in some numbers actually act in such a way that really affects these organizations (like moving their accounts to another bank) you would see more attention. In fact, so few do that there is very little economic disincentive to take any real action by the banks. Send out a contrite press release and be done with it. We saw this week that very little seems to have changed in the security culture at TJX after their breach. Why should it? Their revenue has increased since the incident happened.

bony bony bony (0, Offtopic)

Chukcha (787065) | more than 6 years ago | (#23610215)

bony bony bony bony

Is it just me, or this kind of fun say?
